using hardware performance events for instruction level
play

Using Hardware Performance Events for Instruction-Level Monitoring - PowerPoint PPT Presentation

Feb 18, 2024 •49 likes •759 views

Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture Sebastian Vogl and Claudia Eckert {vogls,eckertc}@in.tum.de Chair for IT Security Technische Universitt Mnchen Munich, Germany 10.04.2012 S. Vogl

  1. Using Hardware Performance Events for Instruction-Level Monitoring on the x86 Architecture Sebastian Vogl and Claudia Eckert {vogls,eckertc}@in.tum.de Chair for IT Security Technische Universität München Munich, Germany 10.04.2012 S. Vogl and C. Eckert (TUM) 10.04.2012 1 / 42

  2. Outline Motivation 1 Performance Monitoring Counters (PMCs) 2 PMC-based Instruction-level Monitoring (ILM) 3 Experiments & Results 4 Summary 5 S. Vogl and C. Eckert (TUM) 10.04.2012 2 / 42

  3. Outline Motivation 1 Performance Monitoring Counters (PMCs) 2 PMC-based Instruction-level Monitoring (ILM) 3 Experiments & Results 4 Summary 5 S. Vogl and C. Eckert (TUM) 10.04.2012 3 / 42

  4. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? My Research Make use of full hardware virtualization to detect malware infections and exploitation attempts . S. Vogl and C. Eckert (TUM) 10.04.2012 4 / 42

  5. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vulnerable> 40070c: mov 0x0, %EAX vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 5 / 42

  6. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vu 0x40070c (RET) vuln lner erab able le> 40070c: mov 0x0, %EAX vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 6 / 42

  7. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vulnerable> 0x40070c (RET) 40070c: mov 0x0, %EAX RBP vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 7 / 42

  8. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vulnerable> 0x40070c (RET) 40070c: mov 0x0, %EAX RBP vulnerable 400584: push %rbp 400585: mov %rsp,% ,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 8 / 42

  9. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vulnerable> 0x40070c (RET) 40070c: mov 0x0, %EAX RBP BUFFER vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 9 / 42

  10. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main * /bin/bash DATA exit 400707: call 400584 <vulnerable> system 40070c: mov 0x0, %EAX DATA (EBP) vulnerable DATA 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 10 / 42

  11. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main * /bin/bash DATA exit 400707: call 400584 <vulnerable> system 40070c: mov 0x0, %EAX DATA (EBP) vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: : leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 11 / 42

  12. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main * /bin/bash DATA exit 400707: call 400584 <vulnerable> 40070c: mov 0x0, %EAX system vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> 4006b2: leave 4006b3: ret system S. Vogl and C. Eckert (TUM) 10.04.2012 12 / 42

  13. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? One possible Solution Make use of a Shadow Stack to verify the target of return instructions. S. Vogl and C. Eckert (TUM) 10.04.2012 13 / 42

  14. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vulnerable> 40070c: mov 0x0, %EAX vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> Shadow Stack 4006b2: leave 4006b3: ret S. Vogl and C. Eckert (TUM) 10.04.2012 14 / 42

  15. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main DATA 400707: call 400584 <vu 0x40070c (RET) vuln lner erab able le> 40070c: mov 0x0, %EAX vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> Shadow Stack 4006b2: leave 4006b3: ret 0x40070c (RET) S. Vogl and C. Eckert (TUM) 10.04.2012 15 / 42

  16. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Stack main * /bin/bash DATA exit 400707: call 400584 <vu vuln lner erab able le> 40070c: mov 0x0, %EAX system vulnerable 400584: push %rbp 400585: mov %rsp,%rbp 400588: sub $0x20,%rsp <vulnerable code> Shadow Stack 4006b2: leave 4006b3: ret 0x40070c (RET) system EIP: system S. Vogl and C. Eckert (TUM) 10.04.2012 16 / 42

  17. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Observation A Shadow Stack for return addresses can be implemented on the hypervisor-level by only trapping call and return instructions. S. Vogl and C. Eckert (TUM) 10.04.2012 17 / 42

  18. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Observation A Shadow Stack for return addresses can be implemented on the hypervisor-level by only trapping call and return instructions. ILM Requirements Based on full hardware virtualization 1 S. Vogl and C. Eckert (TUM) 10.04.2012 17 / 42

  19. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Observation A Shadow Stack for return addresses can be implemented on the hypervisor-level by only trapping call and return instructions. ILM Requirements Based on full hardware virtualization 1 Secure 2 S. Vogl and C. Eckert (TUM) 10.04.2012 17 / 42

  20. Motivation ▸ Why Instructions-Level Monitoring (ILM) ? Observation A Shadow Stack for return addresses can be implemented on the hypervisor-level by only trapping call and return instructions. ILM Requirements Based on full hardware virtualization 1 Secure 2 Flexible 3 S. Vogl and C. Eckert (TUM) 10.04.2012 17 / 42

  21. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 Trap Flag (TF) -based ILM 3 S. Vogl and C. Eckert (TUM) 10.04.2012 18 / 42

  22. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 3 Trap Flag (TF)-based ILM S. Vogl and C. Eckert (TUM) 10.04.2012 19 / 42

  23. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 3 Trap Flag (TF)-based ILM ▸ Insecure S. Vogl and C. Eckert (TUM) 10.04.2012 19 / 42

  24. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 3 Trap Flag (TF)-based ILM ▸ Insecure ▸ Incomplete S. Vogl and C. Eckert (TUM) 10.04.2012 19 / 42

  25. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 3 Trap Flag (TF)-based ILM ▸ Insecure ▸ Incomplete ▸ Inflexible S. Vogl and C. Eckert (TUM) 10.04.2012 19 / 42

  26. Motivation ▸ Why a new ILM mechanism? Existing Approaches Page-Fault (PF) -based ILM 1 Debug Register (DR) -based ILM 2 3 Trap Flag (TF)-based ILM ▸ Insecure ▸ Incomplete ▸ Inflexible ⇒ None of the existing methods can provide the desired flexbility . S. Vogl and C. Eckert (TUM) 10.04.2012 19 / 42

  27. Outline Motivation 1 Performance Monitoring Counters (PMCs) 2 PMC-based Instruction-level Monitoring (ILM) 3 Experiments & Results 4 Summary 5 S. Vogl and C. Eckert (TUM) 10.04.2012 20 / 42

  28. Performance Monitoring Counters (PMCs) ▸ Overview Performance Monitoring on the x86 architecture Performance Events S. Vogl and C. Eckert (TUM) 10.04.2012 21 / 42

  29. Performance Monitoring Counters (PMCs) ▸ Overview Performance Monitoring on the x86 architecture Performance Events PMCs that count these events S. Vogl and C. Eckert (TUM) 10.04.2012 21 / 42

  30. Performance Monitoring Counters (PMCs) ▸ Overview Performance Monitoring on the x86 architecture Performance Events PMCs that count these events ▸ Which event is counted can be programmed. S. Vogl and C. Eckert (TUM) 10.04.2012 21 / 42

  31. Performance Monitoring Counters (PMCs) ▸ Overview Performance Monitoring on the x86 architecture Performance Events PMCs that count these events ▸ Which event is counted can be programmed. ▸ Can be set to raise an interrupt on overflow. S. Vogl and C. Eckert (TUM) 10.04.2012 21 / 42

  32. Performance Monitoring Counters (PMCs) ▸ Performance Events All instructions ▸ All branch instructions ▸ All conditional branch instructions ▸ All near call instructions ▸ All near return instructions ▸ All far branch instructions ▸ S. Vogl and C. Eckert (TUM) 10.04.2012 22 / 42

  33. Outline Motivation 1 Performance Monitoring Counters (PMCs) 2 PMC-based Instruction-level Monitoring (ILM) 3 Experiments & Results 4 Summary 5 S. Vogl and C. Eckert (TUM) 10.04.2012 23 / 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS356 Unit 4 x86 Instruction Set 4.2 Why Learn Assembly Understand hardware limitations

CS356 Unit 4 x86 Instruction Set 4.2 Why Learn Assembly Understand hardware limitations

4.1 CS356 Unit 4 x86 Instruction Set 4.2 Why Learn Assembly Understand hardware limitations Understand performance Use HW options that high-level languages don't allow (e.g., operating systems, utilizing special HW features, etc.)

1.11k views • 94 slides
Instruction Set Design Instruction Set Architecture: to what purpose? ISA provides the level

Instruction Set Design Instruction Set Architecture: to what purpose? ISA provides the level

Instruction Set Design Instruction Set Architecture: to what purpose? ISA provides the level of abstraction between the software and the hardware One of the most important abstraction in CS Its narrow, well-defined, and mostly

401 views • 39 slides
PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk Hardware design Image from Colfax

PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk Hardware design Image from Colfax

PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk Hardware design Image from Colfax training material Pipeline Simple five stage pipeline: 1. Instruction fetch get instruction from instruction cache 2. Instruction decode

759 views • 44 slides
PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Hardware design

PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Hardware design

PERFORMANCE OPTIMISATION Adrian Jackson adrianj@epcc.ed.ac.uk @adrianjhpc Hardware design Image from Colfax training material Pipeline Simple five stage pipeline: 1. Instruction fetch get instruction from instruction cache 2.

966 views • 44 slides
Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding

Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding

Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding Chapter 2 Tomasulos Algorithm Reducing Branch Cost with Dynamic Hardware Reducing Branch Cost with Dynamic Hardware Prediction

274 views • 6 slides
Introduction CPU performance factors Instruction count

Introduction CPU performance factors Instruction count

Morgan Kaufmann Publishers 22 March, 2012 4.1 Introduction Introduction CPU performance factors Instruction count Determined by ISA and compiler CPI and Cycle time Determined by CPU hardware

959 views • 22 slides
Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction

Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction

Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction overlap in a pipeline executing instructions in parallel (later, with multiple instruction issue) ILP hindered by: data dependence : arises

340 views • 21 slides
ProfileMe : Hardware-Support for Instruction-Level Profiling on Out-of-Order Processors Jeffrey

ProfileMe : Hardware-Support for Instruction-Level Profiling on Out-of-Order Processors Jeffrey

ProfileMe : Hardware-Support for Instruction-Level Profiling on Out-of-Order Processors Jeffrey Dean Jamey Hicks Carl Waldspurger Jeffrey Dean Jamey Hicks Carl Waldspurger William Weihl George Chrysos Digital

340 views • 21 slides
Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel Computers Dynamic Scheduling (Section 3.4, 3.5) Dynamic Branch Prediction (Section 3.3, 3.9, and Appendix C) Hardware Speculation and Precise Interrupts

656 views • 28 slides
Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel

Chapter 3 Instruction-Level Parallelism and its Exploitation (Part 3) ILP vs. Parallel Computers Dynamic Scheduling (Section 3.4, 3.5) Dynamic Branch Prediction (Section 3.3, 3.9, and Appendix C) Hardware Speculation and Precise Interrupts

733 views • 24 slides
Instruction Set Architecture 9/20/16 Overview How to directly interact with hardware

Instruction Set Architecture 9/20/16 Overview How to directly interact with hardware

Instruction Set Architecture 9/20/16 Overview How to directly interact with hardware Instruction set architecture (ISA) Interface between programmer and CPU Established instruction format (assembly lang) Assembly programming

696 views • 45 slides
LogCA: A High-Level Performance Model for Hardware Accelerators Muhammad Shoaib Bin Altaf* David

LogCA: A High-Level Performance Model for Hardware Accelerators Muhammad Shoaib Bin Altaf* David

Everything should be made as simple as possible, but not simplerAlbert Einstein LogCA: A High-Level Performance Model for Hardware Accelerators Muhammad Shoaib Bin Altaf* David A. Wood University of Wisconsin-Madison * Now at AMD Research,

329 views • 19 slides
Motivations Instruction cache (icache) misses can FICO drastically decrease code performance a

Motivations Instruction cache (icache) misses can FICO drastically decrease code performance a

Motivations Instruction cache (icache) misses can FICO drastically decrease code performance a Fast Instruction Cache Optimizer The problem is even more important for 1-level direct mapped caches Author: Marco Garatti On Lx ST210 the icache

477 views • 4 slides
Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

1. Introduction 2. Binary Representation Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5. Standard input and output Hardware has been defined as 6. Operators, expression and statem ents the

238 views • 3 slides
Hardware Support for Hardware Support for Out-of-Order Instruction Out-of-Order Instruction

Hardware Support for Hardware Support for Out-of-Order Instruction Out-of-Order Instruction

Hardware Support for Hardware Support for Out-of-Order Instruction Out-of-Order Instruction Profiling on Alpha 21264a Profiling on Alpha 21264a Lance Berc Berc &amp; Mark Vandevoorde &amp; Mark Vandevoorde Lance Joint work with: Jennifer

342 views • 21 slides
Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview

Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview

Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview Instruction level parallelism Dynamic Scheduling Techniques D namic Sched ling Techniq es Scoreboarding Tomasulos Algorithm

611 views • 36 slides
Learning Automatic Schedulers through Projective Reparameterization Ajay Jain Saman Amarasinghe

Learning Automatic Schedulers through Projective Reparameterization Ajay Jain Saman Amarasinghe

Learning Automatic Schedulers through Projective Reparameterization Ajay Jain Saman Amarasinghe Challenges in ML for Systems Ajay Jain Learning automatic schedulers through projective reparameterization Challenges in ML for Systems 1.

384 views • 19 slides
STACK AND HEAP: COMMONLY ABUSED TERMS Simon Brand Codeplay Soware Ltd. AGENDA A bit about

STACK AND HEAP: COMMONLY ABUSED TERMS Simon Brand Codeplay Soware Ltd. AGENDA A bit about

STACK AND HEAP: COMMONLY ABUSED TERMS Simon Brand Codeplay Soware Ltd. AGENDA A bit about me What misuse am I talking about? Why is it wrong? What does the standard say? What terms should we use instead? C++ AND ME Work with C++ daily

637 views • 24 slides
How Julia Goes Fast Leah Hanson Main Points 1. Design choices make Julia fast. 2. Design and

How Julia Goes Fast Leah Hanson Main Points 1. Design choices make Julia fast. 2. Design and

How Julia Goes Fast Leah Hanson Main Points 1. Design choices make Julia fast. 2. Design and implementation choices work together. 3. You should try using Julia. 1. What problem is Julia solving? 2. What design choices does that lead to? 3.

972 views • 74 slides
Lecture 2: Processor Design, Single-Processor Performance G63.2011.002/G22.2945.001 September

Lecture 2: Processor Design, Single-Processor Performance G63.2011.002/G22.2945.001 September

Lecture 2: Processor Design, Single-Processor Performance G63.2011.002/G22.2945.001 September 14, 2010 Intro Basics Assembly Memory Pipelines Outline Intro The Basic Subsystems Machine Language The Memory Hierarchy Pipelines Intro

970 views • 72 slides
1 2/26/2020 void multstore Today Code Examples (long x, long y, long *dest) { long t =

1 2/26/2020 void multstore Today Code Examples (long x, long y, long *dest) { long t =

2/26/2020 Mechanisms in Procedures P( ) { Passing control To beginning of procedure code Machine-Level Programming III: y = Q(x); Back to return point print(y) Procedures Passing data } Procedure

496 views • 11 slides
Lifting program binaries with McSema Peter Goodman, Akshay Kumar Introductions Peter Goodman

Lifting program binaries with McSema Peter Goodman, Akshay Kumar Introductions Peter Goodman

Lifting program binaries with McSema Peter Goodman, Akshay Kumar Introductions Peter Goodman Akshay Kumar Senior Security Engineer Senior Security Engineer peter@trailofbits.com akshay.kumar@trailofbits.com 2 2 Overview of this workshop

1.03k views • 89 slides
Livepatching FreeBSD kernel Maciej Grochowski Maciej.Grochowski[at]protonmail.com EuroBSDcon

Livepatching FreeBSD kernel Maciej Grochowski Maciej.Grochowski[at]protonmail.com EuroBSDcon

Livepatching FreeBSD kernel Maciej Grochowski Maciej.Grochowski[at]protonmail.com EuroBSDcon 2018 University Politehnica of Bucharest Bucuresti, Romania September 22 23, 2018 Outline Problem statement Some background Why we

710 views • 19 slides
CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (Instruc. Pointer)

CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (Instruc. Pointer)

6.1 CS356 Unit 6 x86 Procedures Basic Stack Frames 6.2 Review of Program Counter (Instruc. Pointer) PC/IP is used to fetch an instruction PC/IP contains the address of the next instruction The value in the PC/IP is placed on the

1.5k views • 33 slides

More recommend